MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1a56b552e30f05fb06ee8316630dbad0f2cd5903c16dbb7005c4e2c461a339d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash: d1a56b552e30f05fb06ee8316630dbad0f2cd5903c16dbb7005c4e2c461a339d
SHA3-384 hash: 1649f815489a6d445b8e0943f15ab7e2b66cb6a0256ec4afc8f8fbbe5961c7f7f7a8ce75d3368731ddd2e9df6f8777f4
SHA1 hash: 04cc6ed3a5d38a52cd01b00cf6a4f77bbfa8d356
MD5 hash: 9f554d650d3c2c327bfe877d6d10101c
humanhash: xray-coffee-cardinal-social
File name:2025年第三季度内职人员违纪名单信.exe
Download: download sample
File size:800'072 bytes
First seen:2026-01-09 18:44:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44ca2572174533bc8e396211525d7211
ssdeep 12288:LohvzZWd5GUXUmRJ9J8Hh1H0bcBRDhw8fZpHG:LmvzStUmcbQ4Ygm
TLSH T19905020ED3AE98C5E43362F4C2A6E780D466B4609B76069B3FD0445C1DBB9D90E73BC9
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 64646c646a6b6919 (4 x ValleyRAT, 1 x Fuery)
Reporter Ling
Tags:exe Trojan:Win32/Wacatac.H!ml wacatac


Avatar
CNGaoLing
Trojan:Win32/Wacatac.H!ml

Intelligence


File Origin
# of uploads :
1
# of downloads :
103
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
2025年第三季度内职人员违纪名单信.exe
Verdict:
Malicious activity
Analysis date:
2026-01-09 18:44:33 UTC
Tags:
valleyrat rat remote silverfox winos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
shellcode emotet shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Connection attempt
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expired-cert invalid-signature microsoft_visual_cc signed
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-09T00:54:00Z UTC
Last seen:
2026-01-11T06:09:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.PoolInject.efw Trojan.Win32.Waldek.sb Trojan.Win32.PoolInject.sba Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Malware.Heuristic
Status:
Malicious
First seen:
2026-01-09 05:42:24 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
d1a56b552e30f05fb06ee8316630dbad0f2cd5903c16dbb7005c4e2c461a339d
MD5 hash:
9f554d650d3c2c327bfe877d6d10101c
SHA1 hash:
04cc6ed3a5d38a52cd01b00cf6a4f77bbfa8d356
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments